Tag Archives: Privacy

Kim Dotcom’s Extradition Appeal Gets Underway

Post Syndicated from Andy original https://torrentfreak.com/dotcom-extradition-appeal-gets-underway-160829/

In 2012, Megaupload was shut down in a massive international operation. At the time the file-storage site had been one of the most-visited on the planet with around 100 million users.

U.S. authorities subsequently claimed that Megaupload illegally generated more than US$175 million and cost copyright owners more than $0.5bn in lost business.

The former operators of Megaupload – Kim Dotcom, Mathias Ortmann and Bram van der Kolk – insist that their business was a completely legal cloud storage platform so any infringement carried out by their users was not their responsibility. They are all fighting their cases from New Zealand where they are residents.

Last December, after almost ten weeks of hearings, District Court Judge Nevin Dawson found there was an “overwhelming” case for Kim Dotcom, Mathias Ortmann and Bram van der Kolk to be extradited to the United States. There they face decades in jail on various charges including copyright infringement, money laundering, and racketeering.

Today, around a dozen lawyers were present in New Zealand’s High Court as Dotcom and his former colleagues mounted a formal appeal of last year’s extradition decision. The trio say that Judge Nevin Dawson didn’t give them a fair hearing.

The appeal is expected to last six to eight weeks but it began without Dotcom in attendance. He arrived after the hearing began and sat at the back with girlfriend Elizabeth Donelly. NZ’s Radio Live reported that the Megaupload founder appeared “relaxed”.

While Dotcom was not presenting argument today, his lawyer Ron Mansfield told the court that due to the unprecedented issues involved and the international interest in the case, the hearing should be live streamed.

Mansfield said that a complex case of this nature is unlikely to receive balanced reporting so a live stream could ensure that all information is made available for public scrutiny. That could be done via YouTube, he said, with a 10-minute delay to ensure any sensitive material could be withheld.

A decision on that request wasn’t made right away, however. Judge Murray Gilbert said that the streaming request had been submitted late so he wanted to give representatives from the media time to consider the request and make their submissions. As previously reported, the United States government is objecting to the application.

Public interest in the case is undoubtedly high. Dotcom has become somewhat of a celebrity locally in New Zealand and he has a huge profile online as a serial entrepreneur, privacy activist, and video gamer. Unsurprisingly the public gallery in the High Court was full, with one man reportedly standing outside waving a banner claiming that Dotcom’s persecution is part of a CIA conspiracy.

With Dotcom not expected to speak until later next week, the hearing began with representation from Grant Illingworth QC, the lawyer representing Mathias Ortmann and Bram van der Kolk.

Illingworth said that the hearing had been unfair since the United States had denied the defendants the opportunity to hire specialist US-based technology experts who could help to support their defense.

He said that the case against the former Megaupload operators “had gone off the rails” and their extradition should be halted since the District Court had shown “extraordinary disinterest” in their arguments at the earlier hearing.

“It’s like ships passing in the night with no radar — the judge simply did not engage with the arguments in a meaningful way,” Illingworth said.

Pointing to alleged breaches of conduct by U.S. authorities, Illingworth said that a situation of urgency had been manufactured in order to achieve procedural shortcuts.

There had been a “covering up” of unlawful activities preceding the arrests in 2012 and “downstream attempts to cover that up including a police officer giving incorrect information to this court, [and] unlawfully sending clones of hard drives overseas.”

Arguments for Mathias Ortmann and Bram van der Kolk are expected to take around eight days but the whole process is forecast to be a drawn-out affair. In the District Court the extradition hearing was supposed to take four weeks but actually took ten.

This time around the actions of the District Court will be picked over in fine detail, concentrating closely on numerous matters of law.

The United States Department of Justice isn’t expected to begin its arguments for another three weeks or so.

The hearing continues tomorrow but it’s unlikely that any final decision will arrive even this year. Dotcom and his rivals in the US both seem prepared to take this battle all the way to the Supreme Court in New Zealand if necessary. That could take years.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

HostSailor Threatens to Sue KrebsOnSecurity

Post Syndicated from BrianKrebs original https://krebsonsecurity.com/2016/08/hostsailor-threatens-to-sue-krebsonsecurity/

Earlier this month, KrebsOnSecurity published The Reincarnation of a Bulletproof Hoster, which examined evidence suggesting that a Web hosting company called HostSailor was created out of the ashes of another, now-defunct hosting firm notorious for harboring spammers, scammers and other online ne’er-do-wells. Today, HostSailor’s lawyers threatened to sue this author unless the story is removed from the Web.

Obviously, I stand by my reporting and have no intention of unpublishing stories. But I’m writing about HostSailor again here because I promised to post an update if they ever responded to my requests for comment.

The letter, signed by Abdullah Alzarooni Advocates in Dubai — where HostSailor says it is based — carries the subject line, “Warning from Acts of Extortion and Abuse of the Privacy of Third Parties.” It lists a number of links to content the company apparently finds objectionable.

Could this same kind of legal pressure be why security industry giant Trend Micro removed all reference to HostSailor from the report that started all this? Trend hasn’t responded to direct questions about that.

Astute readers will notice in the letter (pasted below) a link to a Twitter message from this author among the many things HostSailor’s lawyers would like me to make disappear from the Internet. That tweet to HostSailor’s Twitter account read:

“Potential downside of reporting ISIS sites: The hosting firm (ahem @HostSailor) may share your info/name/report with ISIS. Opsec, people!”

I sent that tweet after hearing from a source with whom I’ve been working to report sites affiliated with the jihadist militant group ISIS. The source had reported to HostSailor several of its Internet addresses that were being used by a propaganda site promoting videos of beheadings and other atrocities by ISIS, and he shared emails indicating that HostSailor had simply forwarded his abuse email on to its customer — complete with my source’s name and contact information. Thankfully, he was using a pseudonym and throwaway email address.

HostSailor’s Twitter account responded by saying that the company doesn’t share information about its customers. But of course my tweet was regarding information shared about someone who is not a HostSailor customer.

This isn’t the first time KrebsOnSecurity has been threatened with lawsuits over stories published here. The last time I got one of these letters was in Sept. 2015, from a lawyer representing AshleyMadison’s former chief technology officer. The year before, it was Sony Pictures Entertainment, whose lawyers lashed out at a large number of publications for too closely covering its epic and unprecedented data breach in 2014.

Prior to that, I received some letters from the lawyers for Igor Gusev, one of the main characters in my book, Spam Nation. Mr. Gusev’s attorneys insisted that I was publishing stolen information — pictures of him, financial records from his spam empire “SpamIt” — and demanded that I remove all offending items and publish an apology.

My attorney in that instance laughed out loud when I shared the letter from Gusev’s lawyers, calling it a “blivit.” When I apparently took more than a moment to get the joke, he explained that a “blivit” is a term coined by the late great author Kurt Vonnegut, who defined it as “two pounds of shit in a one-pound bag.”

Only time will tell if this letter is a blivit as well. I’ve taken the liberty of sanitizing the PDF document it came in, and converting that into two image files – in case anyone wants to take a look.

An emailed “legal notice” I apparently received from a law firm in Dubai, demanding that I unpublish an unflattering story about HostSailor.

Rintel: NetworkManager 1.4: with better privacy and easier to use

Post Syndicated from ris original http://lwn.net/Articles/698287/rss

Lubomir Rintel takes a look at new features in NetworkManager 1.4. “It is now possible to randomize the MAC address of Ethernet devices to mitigate the possibility of tracking. The users can choose between different policies; use a completely random address, or just use different addresses in different networks. For Wi-Fi devices, the same randomization modes are now supported and no longer require support from wpa-supplicant.” Also covered are a newly added API for configuration snapshots that automatically roll back after a timeout, configurable IPv6 tokenized interface identifiers, new features in nmcli, and more. (Thanks to Paul Wise)

Dotcom Wants Extradition Hearing Live-Streamed, U.S. Does Not

Post Syndicated from Andy original https://torrentfreak.com/dotcom-wants-extradition-hearing-live-streamed-u-s-does-not-160825/

Earlier this month, Kim Dotcom experienced a setback when the 4th Circuit Court of Appeals rejected his efforts to regain control over millions of dollars in assets seized by the US Government.

Branding the Megaupload founder a fugitive, the Court effectively denied Dotcom the ability to properly defend himself, should he be extradited to the United States from New Zealand.

Together with his former Megaupload colleagues Mathias Ortmann, Bram van der Kolk and Finn Batato, Dotcom was found eligible for extradition to the United States last December. His appeal will take place at the High Court in Auckland this month and Dotcom wants the whole world to see.

While many jurisdictions internationally will not grant permission for a live video or audio feed to be transmitted from a courtroom, in New Zealand the proposition is not out of the question.

All courts nationwide allow cameras and the recording of proceedings, as long as there are no serious privacy breaches, compromising of witnesses, or risks to the right to a fair trial.

Just recently the Chief Justice requested a report from a panel of judges on guidelines relating to recording in court. The report (pdf) found that 93% of District and High Court Judges had not experienced an instance where recording in court had resulted in a fair trial issue arising.

While the panel’s recommendations were accepted by the Chief Justice, live-streaming of court proceedings did not receive widespread support among submissions from judges. However, upon successful application and in important cases such as Dotcom’s, such transmissions can go ahead.

“Live-streaming may be an available option, particularly if there are fixed cameras in court. Live streaming will remain an option in certain major cases, and would be considered if an application is made,” the Judges’ recommendations read.

While it’s possible that Dotcom’s application will be accepted, no feed coming out of the High Court would be truly live. All transmissions would be subjected to a 10-minute delay to protect all parties involved in proceedings.

“A meaningful check on actual publication gives Judges and counsel the opportunity to consider evidence as it is adduced, and decide on whether suppression is appropriate in a measured way,” the Judges note.

“We are aware of numerous instances when that delay has been critical to give a Judge time to stop an otherwise potentially disastrous publication. A short delay is a small price to pay for in-court coverage.”

But while Dotcom and his legal team are clearly in favor of having the six-week hearing transmitted (almost) live, the U.S. Government is reportedly pulling in the opposite direction. Dotcom reports that his application has already received objections from lawyers in the United States.

At the time of publication, Dotcom hadn’t responded to our request for comment, so the grounds for the US Government’s objection aren’t yet clear. However, the media circuses surrounding the televised trials of both O.J. Simpson and Michael Jackson are still within recent memory, and under huge scrutiny neither went well for the prosecution.

Whether live-streaming is granted or not, Dotcom won’t be giving up the fight, even if his extradition appeal fails. The entrepreneur has already stated that he’ll take his case all the way to the Supreme Court if necessary.

In Case You Missed These: AWS Security Blog Posts from June, July, and August

Post Syndicated from Craig Liebendorfer original https://blogs.aws.amazon.com/security/post/Tx3KVD6T490MM47/In-Case-You-Missed-These-AWS-Security-Blog-Posts-from-June-July-and-August

In case you missed any AWS Security Blog posts from June, July, and August, they are summarized and linked to below. The posts are shown in reverse chronological order (most recent first), and the subject matter ranges from a tagging limit increase to recording SSH sessions established through a bastion host.

August

August 16: Updated Whitepaper Available: AWS Best Practices for DDoS Resiliency
We recently released the 2016 version of the AWS Best Practices for DDoS Resiliency Whitepaper, which can be helpful if you have public-facing endpoints that might attract unwanted distributed denial of service (DDoS) activity.

August 15: Now Organize Your AWS Resources by Using up to 50 Tags per Resource
Tagging AWS resources simplifies the way you organize and discover resources, allocate costs, and control resource access across services. Many of you have told us that as the number of applications, teams, and projects running on AWS increases, you need more than 10 tags per resource. Based on this feedback, we now support up to 50 tags per resource. You do not need to take additional action—you can begin applying as many as 50 tags per resource today.

August 11: New! Import Your Own Keys into AWS Key Management Service
Today, we are happy to announce the launch of the new import key feature that enables you to import keys from your own key management infrastructure (KMI) into AWS Key Management Service (KMS). After you have exported keys from your existing systems and imported them into KMS, you can use them in all KMS-integrated AWS services and custom applications.

August 2: Customer Update: Amazon Web Services and the EU-US Privacy Shield
Recently, the European Commission and the US Government agreed on a new framework called the EU-US Privacy Shield, and on July 12, the European Commission formally adopted it. AWS welcomes this new framework for transatlantic data flow. As the EU-US Privacy Shield replaces Safe Harbor, we understand many of our customers have questions about what this means for them. The security of our customers’ data is our number one priority, so I wanted to take a few moments to explain what this all means.

August 2: How to Remove Single Points of Failure by Using a High-Availability Partition Group in Your AWS CloudHSM Environment
In this post, I will walk you through steps to remove single points of failure in your AWS CloudHSM environment by setting up a high-availability (HA) partition group. Single points of failure occur when a single CloudHSM device fails in a non-HA configuration, which can result in the permanent loss of keys and data. The HA partition group, however, allows for one or more CloudHSM devices to fail, while still keeping your environment operational.

July

July 28: Enable Your Federated Users to Work in the AWS Management Console for up to 12 Hours
AWS Identity and Access Management (IAM) supports identity federation, which enables external identities, such as users in your corporate directory, to sign in to the AWS Management Console via single sign-on (SSO). Now with a small configuration change, your AWS administrators can allow your federated users to work in the AWS Management Console for up to 12 hours, instead of having to reauthenticate every 60 minutes. In addition, administrators can now revoke active federated user sessions. In this blog post, I will show how to configure the console session duration for two common federation use cases: using Security Assertion Markup Language (SAML) 2.0 and using a custom federation broker that leverages the sts:AssumeRole* APIs (see this downloadable sample of a federation proxy). I will wrap up this post with a walkthrough of the new session revocation process.

July 28: Amazon Cognito Your User Pools is Now Generally Available
Amazon Cognito makes it easy for developers to add sign-up, sign-in, and enhanced security functionality to mobile and web apps. With Amazon Cognito Your User Pools, you get a simple, fully managed service for creating and maintaining your own user directory that can scale to hundreds of millions of users.

July 27: How to Audit Cross-Account Roles Using AWS CloudTrail and Amazon CloudWatch Events
In this blog post, I will walk through the process of auditing access across AWS accounts by a cross-account role. This process links API calls that assume a role in one account to resource-related API calls in a different account. To develop this process, I will use AWS CloudTrail, Amazon CloudWatch Events, and AWS Lambda functions. When complete, the process will provide a full audit chain from end user to resource access across separate AWS accounts.

July 25: AWS Becomes First Cloud Service Provider to Adopt New PCI DSS 3.2
We are happy to announce the availability of the Amazon Web Services PCI DSS 3.2 Compliance Package for the 2016/2017 cycle. AWS is the first cloud service provider (CSP) to successfully complete the assessment against the newly released PCI Data Security Standard (PCI DSS) version 3.2, 18 months in advance of the mandatory February 1, 2018, deadline. The AWS Attestation of Compliance (AOC), available upon request, now features 26 PCI DSS certified services, including the latest additions of Amazon EC2 Container Service (ECS), AWS Config, and AWS WAF (a web application firewall). We at AWS are committed to this international information security and compliance program, and adopting the new standard as early as possible once again demonstrates our commitment to information security as our highest priority. Our customers (and customers of our customers) can operate confidently as they store and process credit card information (and any other sensitive data) in the cloud knowing that AWS products and services are tested against the latest and most mature set of PCI compliance requirements.

July 20: New AWS Compute Blog Post: Help Secure Container-Enabled Applications with IAM Roles for ECS Tasks
Amazon EC2 Container Service (ECS) now allows you to specify an IAM role that can be used by the containers in an ECS task, as a new AWS Compute Blog post explains. 

July 14: New Whitepaper Now Available: The Security Perspective of the AWS Cloud Adoption Framework
Today, AWS released the Security Perspective of the AWS Cloud Adoption Framework (AWS CAF). The AWS CAF provides a framework to help you structure and plan your cloud adoption journey, and build a comprehensive approach to cloud computing throughout the IT lifecycle. The framework provides seven specific areas of focus or Perspectives: business, platform, maturity, people, process, operations, and security.

July 14: New Amazon Inspector Blog Post on the AWS Blog
On the AWS Blog yesterday, Jeff Barr published a new security-related blog post written by AWS Principal Security Engineer Eric Fitzgerald. Here’s the beginning of the post, which is entitled, Scale Your Security Vulnerability Testing with Amazon Inspector:

July 12: How to Use AWS CloudFormation to Automate Your AWS WAF Configuration with Example Rules and Match Conditions
We recently announced AWS CloudFormation support for all current features of AWS WAF. This enables you to leverage CloudFormation templates to configure, customize, and test AWS WAF settings across all your web applications. Using CloudFormation templates can help you reduce the time required to configure AWS WAF. In this blog post, I will show you how to use CloudFormation to automate your AWS WAF configuration with example rules and match conditions.

July 11: How to Restrict Amazon S3 Bucket Access to a Specific IAM Role
In this blog post, I show how you can restrict S3 bucket access to a specific IAM role or user within an account using Conditions instead of with the NotPrincipal element. Even if another user in the same account has an Admin policy or a policy with s3:*, they will be denied if they are not explicitly listed. You can use this approach, for example, to configure a bucket for access by instances within an Auto Scaling group. You can also use this approach to limit access to a bucket with a high-level security need.

July 7: How to Use SAML to Automatically Direct Federated Users to a Specific AWS Management Console Page
In this blog post, I will show you how to create a deep link for federated users via the SAML 2.0 RelayState parameter in Active Directory Federation Services (AD FS). By using a deep link, your users will go directly to the specified console page without additional navigation.

July 6: How to Prevent Uploads of Unencrypted Objects to Amazon S3
In this blog post, I will show you how to create an S3 bucket policy that prevents users from uploading unencrypted objects, unless they are using server-side encryption with S3–managed encryption keys (SSE-S3) or server-side encryption with AWS KMS–managed keys (SSE-KMS).

June

June 30: The Top 20 AWS IAM Documentation Pages so Far This Year
The following 20 pages have been the most viewed AWS Identity and Access Management (IAM) documentation pages so far this year. I have included a brief description with each link to give you a clearer idea of what each page covers. Use this list to see what other people have been viewing and perhaps to pique your own interest about a topic you’ve been meaning to research. 

June 29: The Most Viewed AWS Security Blog Posts so Far in 2016
The following 10 posts are the most viewed AWS Security Blog posts that we published during the first six months of this year. You can use this list as a guide to catch up on your blog reading or even read a post again that you found particularly useful.

June 25: AWS Earns Department of Defense Impact Level 4 Provisional Authorization
I am pleased to share that, for our AWS GovCloud (US) Region, AWS has received a Defense Information Systems Agency (DISA) Provisional Authorization (PA) at Impact Level 4 (IL4). This will allow Department of Defense (DoD) agencies to use the AWS Cloud for production workloads with export-controlled data, privacy information, and protected health information as well as other controlled unclassified information. This new authorization continues to demonstrate our advanced work in the public sector space; you might recall AWS was the first cloud service provider to obtain an Impact Level 4 PA in August 2014, paving the way for DoD pilot workloads and applications in the cloud. Additionally, we recently achieved a FedRAMP High provisional Authorization to Operate (P-ATO) from the Joint Authorization Board (JAB), also for AWS GovCloud (US), and today’s announcement allows DoD mission owners to continue to leverage AWS for critical production applications.

June 23: AWS re:Invent 2016 Registration Is Now Open
Register now for the fifth annual AWS re:Invent, the largest gathering of the global cloud computing community. Join us in Las Vegas for opportunities to connect, collaborate, and learn about AWS solutions. This year we are offering all-new technical deep-dives on topics such as security, IoT, serverless computing, and containers. We are also delivering more than 400 sessions, more hands-on labs, bootcamps, and opportunities for one-on-one engagements with AWS experts.

June 23: AWS Achieves FedRAMP High JAB Provisional Authorization
We are pleased to announce that AWS has received a FedRAMP High JAB Provisional Authorization to Operate (P-ATO) from the Joint Authorization Board (JAB) for the AWS GovCloud (US) Region. The new Federal Risk and Authorization Management Program (FedRAMP) High JAB Provisional Authorization is mapped to more than 400 National Institute of Standards and Technology (NIST) security controls. This P-ATO recognizes AWS GovCloud (US) as a secure environment on which to run highly sensitive government workloads, including Personally Identifiable Information (PII), sensitive patient records, financial data, law enforcement data, and other Controlled Unclassified Information (CUI).

June 22: AWS IAM Service Last Accessed Data Now Available for South America (Sao Paulo) and Asia Pacific (Seoul) Regions
In December, AWS IAM released service last accessed data, which helps you identify overly permissive policies attached to an IAM entity (a user, group, or role). Today, we have extended service last accessed data to support two additional regions: South America (Sao Paulo) and Asia Pacific (Seoul). With this release, you can now view the date when an IAM entity last accessed an AWS service in these two regions. You can use this information to identify unnecessary permissions and update policies to remove access to unused services.

June 20: New Twitter Handle Now Live: @AWSSecurityInfo
Today, we launched a new Twitter handle: @AWSSecurityInfo. The purpose of this new handle is to share security bulletins, security whitepapers, compliance news and information, and other AWS security-related and compliance-related information. The scope of this handle is broader than that of @AWSIdentity, which focuses primarily on Security Blog posts. However, feel free to follow both handles!

June 15: Announcing Two New AWS Quick Start Reference Deployments for Compliance
As part of the Professional Services Enterprise Accelerator – Compliance program, AWS has published two new Quick Start reference deployments to assist federal government customers and others who need to meet National Institute of Standards and Technology (NIST) SP 800-53 (Revision 4) security control requirements, including those at the high-impact level. The new Quick Starts are AWS Enterprise Accelerator – Compliance: NIST-based Assurance Frameworks and AWS Enterprise Accelerator – Compliance: Standardized Architecture for NIST High-Impact Controls Featuring Trend Micro Deep Security. These Quick Starts address many of the NIST controls at the infrastructure layer. Furthermore, for systems categorized as high impact, AWS has worked with Trend Micro to incorporate its Deep Security product into a Quick Start deployment in order to address many additional high-impact controls at the workload layer (app, data, and operating system). In addition, we have worked with Telos Corporation to populate security control implementation details for each of these Quick Starts into the Xacta product suite for customers who rely upon that suite for governance, risk, and compliance workflows.

June 14: Now Available: Get Even More Details from Service Last Accessed Data
In December, AWS IAM released service last accessed data, which shows the time when an IAM entity (a user, group, or role) last accessed an AWS service. This provided a powerful tool to help you grant least privilege permissions. Starting today, it’s easier to identify where you can reduce permissions based on additional service last accessed data.

June 14: How to Record SSH Sessions Established Through a Bastion Host
A bastion host is a server whose purpose is to provide access to a private network from an external network, such as the Internet. Because of its exposure to potential attack, a bastion host must minimize the chances of penetration. For example, you can use a bastion host to mitigate the risk of allowing SSH connections from an external network to the Linux instances launched in a private subnet of your Amazon Virtual Private Cloud (VPC). In this blog post, I will show you how to leverage a bastion host to record all SSH sessions established with Linux instances. Recording SSH sessions enables auditing and can help in your efforts to comply with regulatory requirements.

June 14: AWS Granted Authority to Operate for Department of Commerce and NOAA
AWS already has a number of federal agencies onboarded to the cloud, including the Department of Energy, The Department of the Interior, and NASA. Today we are pleased to announce the addition of two more ATOs (authority to operate) for the Department of Commerce (DOC) and the National Oceanic and Atmospheric Administration (NOAA). Specifically, the DOC will be utilizing AWS for their Commerce Data Service, and NOAA will be leveraging the cloud for their “Big Data Project.” According to NOAA, the goal of the Big Data Project is to “create a sustainable, market-driven ecosystem that lowers the cost barrier to data publication. This project will create a new economic space for growth and job creation while providing the public far greater access to the data created with its tax dollars.”

June 2: How to Set Up DNS Resolution Between On-Premises Networks and AWS by Using Unbound
In previous AWS Security Blog posts, Drew Dennis covered two options for establishing DNS connectivity between your on-premises networks and your Amazon Virtual Private Cloud (Amazon VPC) environments. His first post explained how to use Simple AD to forward DNS requests originating from on-premises networks to an Amazon Route 53 private hosted zone. His second post showed how you can use Microsoft Active Directory (also provisioned with AWS Directory Service) to provide the same DNS resolution with some additional forwarding capabilities. In this post, I will explain how you can set up DNS resolution between your on-premises DNS with Amazon VPC by using Unbound, an open-source, recursive DNS resolver. This solution is not a managed solution like Microsoft AD and Simple AD, but it does provide the ability to route DNS requests between on-premises environments and an Amazon VPC–provided DNS.

June 1: How to Manage Secrets for Amazon EC2 Container Service–Based Applications by Using Amazon S3 and Docker
In this blog post, I will show you how to store secrets on Amazon S3, and use AWS IAM roles to grant access to those stored secrets using an example WordPress application deployed as a Docker image using ECS. Using IAM roles means that developers and operations staff do not have the credentials to access secrets. Only the application and staff who are responsible for managing the secrets can access them. The deployment model for ECS ensures that tasks are run on dedicated EC2 instances for the same AWS account and are not shared between customers, which gives sufficient isolation between different container environments.

If you have comments about any of these posts, please add your comments in the "Comments" section of the appropriate post. If you have questions about or issues implementing the solutions in any of these posts, please start a new thread on the AWS IAM forum.

– Craig

More on Election Security

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/08/more_on_electio.html

Andrew Appel has a good two-part essay on securing elections.

And three organizations — Verified Voting, EPIC, and Common Cause — have published a report on the risks of Internet voting. The report is primarily concerned with privacy, and the threats to a secret ballot.

Reddit Refuses to Disclose Alleged Music Leaker’s IP Address

Post Syndicated from Andy original https://torrentfreak.com/reddit-refuses-to-disclose-alleged-music-leakers-ip-address-160816/

Back in June, Atlantic Records were in the final stages of releasing the track ‘Heathens’ by the platinum-certified band Twenty One Pilots. Things didn’t go to plan.

The track, which was also set to appear on “Suicide Squad: The Album”, was leaked online, first appearing on an anonymous Slovakian file-hosting service called Dropfile.to.

From there it’s claimed that the alleged leaker advertised that file on Reddit, posting a link which enabled any viewer to download it for free. The posting, which was made on the ‘Twenty One Pilots’ subreddit by a user called ‘twentyoneheathens’, caught the eye of Atlantic Records.

Earlier this month in the Supreme Court of the State of New York, Atlantic described how the leak had ruined its plans for the release and promotion of the track. Underlying these complaints was the belief that the leak originated close to home.

The label said it had provided an early release copy “to an extremely limited number of individuals”, including members of 21 Pilots, their manager, Atlantic and [record label] Fueled by Ramen executives, plus members of Atlantic’s radio field staff.

According to Atlantic, all of its employees who were aware of the impending release were “contractually obligated and/or under a fiduciary obligation” not to disclose its existence until June 24.

So, in order to find out who was responsible for the pre-release, Atlantic asked the Court to force Reddit to hand over the presumed leaker’s details, including his or her IP address. Reddit, however, doesn’t want to play ball.

In a response to the Court, Reddit’s legal team at Harris Beach PLLC say that Atlantic’s claims fail to reach the standards required for discovery.

“In order to obtain pre-action discovery, Atlantic must demonstrate now that it has meritorious claims against the Reddit user. However, Atlantic has failed to show that its claims are meritorious for two, simple reasons,” Reddit begins (pdf).

“First, it has failed to establish that it has a contractual relationship with the Reddit user. Second, it has failed to establish that it has a fiduciary relationship with the Reddit user. Because Atlantic has not demonstrated that it has meritorious causes of action against the unidentified Reddit user, its petition for pre-action discovery related to such user should be denied.”

The problem lies with Atlantic’s allegation that the person responsible for the leak and the link on Reddit is under contract with the company. Reddit’s lawyers point out that while the label is clear about what action it would take in that instance, it has made no statement detailing what it would do if the person who posted the link on Reddit is disconnected from the initial leak.

“Atlantic does not describe the claims it would bring against a non-employee Reddit user who discovered the link on Dropfile.to and posted it to Reddit.com without assistance from an Atlantic employee or an employee of Fueled by Ramen, the members of Twenty One Pilots, or their manager, each of whom had access to the song at the time of the leak,” Reddit writes.

Underlining its concerns, Reddit points out that Atlantic provides no proof to back up its claims that the “individual or individuals” who uploaded the file to Dropfile.to also posted the link to Reddit.

“[T]he Reddit user may have been a member of the general public, who, after discovering the Dropfile.to link on another publicly available website, decided to resubmit it to Reddit.com. A member of the public would not likely have a contractual relationship with Atlantic that was breached and Atlantic has not alleged as much.”

Furthermore, Reddit says Atlantic has not advised the Court of any efforts made to obtain the alleged poster’s details from Dropfile.to. While that might indeed be the case, the operator of Dropfile previously informed TorrentFreak that his site is completely anonymous and carries no logs, so identifying any user would be impossible.

In closing, Reddit describes Atlantic’s effort as an “impermissible fishing expedition” and asks for its petition for pre-action discovery to be denied. However, should the Court decide otherwise, Reddit has asked for a cap to be placed on the amount of data it must hand over.

“Presently, Atlantic’s subpoena requests not only information related to the user twentyoneheathens, but also for information related to ‘all and any other Reddit accounts which accessed [Reddit’s] service from the same IP address on or about June 15, 2016’,” Reddit notes.

“While such users may share an IP address, they otherwise have no relationship among them. For this reason, any order requiring pre-action discovery should be limited to information directly related to the user twentyoneheathens and not violate the privacy interests of any Reddit users sharing the IP address.”

While Reddit is digging in its heels now, it seems likely that at some point the Court will indeed order the alleged leaker’s IP address to be handed over. However, only time will tell what action Atlantic will publicly take. Leaks are potentially embarrassing, so making their findings widely known may not be a priority.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Court Affirms $25m Piracy Verdict Against Cox, Rejects Spying Request

Post Syndicated from Ernesto original https://torrentfreak.com/court-affirms-25m-piracy-verdict-against-cox-rejects-spying-request-160810/

Last December a Virginia federal jury ruled that Internet provider Cox Communications was responsible for the copyright infringements of its subscribers.

The ISP was found guilty of willful contributory copyright infringement and ordered to pay music publisher BMG Rights Management $25 million in damages.

The verdict was a massive victory for the music licensing company and nothing short of a disaster for Cox.

Hoping to escape the jury verdict, the Internet provider renewed its motion for judgment as a matter of law. Alternatively, the ISP asked the court to grant a new trial.

For its part, BMG asked the court to issue a permanent injunction against Cox, requiring the Internet provider to terminate the accounts of pirating subscribers and monitor and prevent future infringements.

After a review, the court ruled on the matter this week. In his opinion Judge Liam O’Grady affirms the $25 million judgment against Cox, while denying the motions for judgment as a matter of law or a new trial.

In the verdict, the court upholds the conclusions of the jury. Among other things, it rules that there is sufficient evidence for a jury to conclude that Cox is responsible for the infringements that occurred on its network.

The fact that the ISP chose not to forward BMG’s notices and settlement requests to its customers, in order to protect them from extortion-like practices, doesn’t change this.

“Whether or not Cox’s effort to protect its customers from Rightscorp was noble or well-intentioned, Cox could not also turn a blind eye to specific infringement occurring on its network,” Judge O’Grady writes.

The court acknowledges that the decision will have widespread consequences for other ISPs and Internet services, and hints that further litigation could help to clarify what is allowed and what is not.

“In reaching this conclusion, the Court acknowledges that the application of traditional contributory infringement to large intermediaries like Cox magnifies the uncertainties in this area of the law and raises the specter of undesirable consequences that may follow.

“This case may provide the vehicle for consideration of those questions,” Judge O’Grady adds.

The above means that the $25 million judgment against Cox is upheld.

While the ISP will be disappointed with this outcome, it will be pleased to see that BMG’s request for a permanent injunction was also denied.

The music licensing group requested a permanent injunction against Cox, requiring the Internet provider to expose the personal details of pirating subscribers, and monitor their actions to limit or prevent further infringements.

The court rules that the requested injunction is too vague. BMG failed to explain what actions the ISP would have to take, and Judge O’Grady notes that “limit” and “prevent” are two entirely different things.

Among other things, BMG suggested that the ISP could ‘spy’ on its subscribers by using deep packet inspection, but it failed to provide more specifics.

“Perhaps, as BMG suggests, Cox could require a subscriber to remove BitTorrent from their computers in order to remain on the network. Aside from the obvious point that this does not appear in the injunction, there was minimal testimony about deep packet inspection or its viability as a court-ordered solution here,” O’Grady writes.

In addition, the court also rejects BMG’s request to receive email addresses, phone numbers and other personal details of repeat infringers, which would put the privacy of Cox subscribers at risk.

In his decision to deny the permanent injunction, Judge O’Grady weighs the fact that BMG waited for several years to take action.

“The Court does not question the harm BMG suffers each time a work becomes available on BitTorrent, but BMG has not sufficiently articulated how maintaining its years-long status quo outweighs the burden it wishes to place on Cox.”

Both sides have yet to comment on the court’s ruling, but considering the importance of the case, it is likely that Cox will appeal to a higher court.

A full copy of Judge O’Grady’s memorandum of opinion is available here (pdf).

EFF Announces 2016 Pioneer Award Winners

Post Syndicated from ris original http://lwn.net/Articles/696860/rss

The Electronic Frontier Foundation (EFF) has announced the winners of the 2016 Pioneer Awards: “Malkia Cyril of the Center for Media Justice, data protection activist Max Schrems, the authors of the ‘Keys Under Doormats’ report that counters calls to break encryption, and the lawmakers behind CalECPA—a groundbreaking computer privacy law for Californians.”

Telegram Hack – Possible Nation State Attack By Iran

Post Syndicated from Darknet original http://feedproxy.google.com/~r/darknethackers/~3/NATE__J1uuA/

So there’s been a lot of news lately about the Telegram hack and how 15 million accounts were compromised, which is not technically true. There are two attack vectors at play here, both of which concern Iranian users but are not connected (other than the attackers probably being the same group). So the two attacks […]

Read the full post at darknet.org.uk

Customer Update: Amazon Web Services and the EU-US Privacy Shield

Post Syndicated from Stephen Schmidt original https://blogs.aws.amazon.com/security/post/Tx154OKLVWMHKVW/Customer-Update-Amazon-Web-Services-and-the-EU-US-Privacy-Shield

Recently, the European Commission and the US Government agreed on a new framework called the EU-US Privacy Shield, and on July 12, the European Commission formally adopted it. Amazon Web Services (AWS) welcomes this new framework for transatlantic data flow.

As the EU-US Privacy Shield replaces Safe Harbor, we understand many of our customers have questions about what this means for them. The security of our customers’ data is our number one priority, so I wanted to take a few moments to explain what this all means.

The new EU-US Privacy Shield does not impact AWS customers for two reasons. First, customers using AWS have full control of the movement of their data and have always had the choice of the region in which their data is kept. AWS customers choose the AWS region where their data will be stored and can be assured that their data will remain there unless moved by them. Second, customers who wish to transfer personal data from an AWS region in the European Economic Area (EEA) to one in another part of the world, including the US, can do this in compliance with EU data protection law under the terms of the AWS Data Processing Addendum with Model Clauses, which was approved in 2015 by the EU data protection authorities (the Article 29 Working Party). These options are available to all AWS customers who are processing personal data, whether they are established in the EEA or are a global company operating there.

Additionally, Amazon.com, Inc. is taking the necessary steps to certify under the EU-US Privacy Shield (as of August 1, companies can begin the process of certifying themselves against it). Upon completion of this process, AWS will be covered under this certification.

For customers not looking to transfer data out of the EEA, we continue to give them all of the security, privacy, and control they have always had with AWS:

  • Customers maintain ownership of their content and select which AWS services process, store, and host their data.
  • Customers concerned about security can encrypt their content in transit or at rest, and we also provide customers with the option to manage their own encryption keys—or we can do this for them.
  • Customers determine the location in which their data is stored and completely control any movement of that data. This allows customers to deploy AWS services in the locations of their choice, in accordance with their specific geographic requirements, including in established AWS regions in Dublin and Frankfurt—meaning customers can keep their content in the EU.
  • Customers will soon have the option to store their content in the UK when the AWS UK Region becomes available by the beginning of next year. This region will provide the same high levels of control, security, and data privacy customers receive in AWS’s other global regions.

European customers were among the first to adopt AWS services when we launched in 2006 and they have continued to move their mission-critical workloads to AWS at a rapid pace. Customers of every size, from every European country, and every industry, running all imaginable workloads, have been moving to AWS. We will continue to work closely with our customers across the EEA to help them move to the AWS Cloud, and we look forward to seeing the continued innovation and growth of all European businesses.

At AWS, security is our top priority, and we will continue to work vigilantly to ensure that our customers are able to continue to enjoy the benefits of AWS securely, compliantly, and without disruption in Europe and around the world.

– Steve

ISP: We’re Not The Internet Piracy Police

Post Syndicated from Ernesto original https://torrentfreak.com/isp-were-not-the-internet-piracy-police-160802/

Around the world copyright holder groups are lobbying for increased efforts to combat online piracy.

The situation is no different in Sweden, where the Black Market Watch group just published a report calling for increased cooperation from stakeholders such as advertisers and ISPs.

In an opinion piece for DN, Internet providers are accused of handsomely profiting from their inaction, generating an estimated 2.5 billion Swedish krona ($230 million) from piracy.

“According to our calculations, revenue for Swedish Internet providers potentially exceeds two-and-a-half billion kronor a year, much more than the pirate sites earn,” Black Market Watch co-founder Karl Lallerstedt writes, together with the report’s co-author Waldemar Ingdahl.

They argue that Internet providers are in a unique position to prevent copyright infringement, as they can see what their users do online and have the means to block websites.

Speaking with IDG, Jon Karlung, CEO of Internet provider Bahnhof, refutes these calls and discredits the profit claims as lobbyist nonsense.

“It is pure nonsense, there is no truth in it. This is the work of their business lobbyists who want to put more responsibility on us. Our task is to ensure an internet with free movement, not playing cops,” he says.

Ideally, rightsholders would like to see a series of measures introduced to combat copyright infringement. This includes easier domain name seizures, increased anti-piracy efforts from law enforcement and ISPs, plus better education about the risks of piracy.

According to Karlung, Bahnhof already does enough to alert subscribers about unsafe sites. It is also happy to assist law enforcement but the company doesn’t see itself proactively policing its network to catch pirates.

“We inform users about unsafe sites today, and we will continue to do so without copyright holders instructing us what to do,” Karlung says.

“If there is merit to the Swedish legislation, we will help the police if they can show in a documented manner that the servers are being used for illegal activities. But it is not our job to act, they themselves must identify the type of activities.”

The copyright holder requests go directly against one of the core goals of the company – protecting the privacy of its subscribers. In recent years the Internet provider has fought hard to guarantee this right.

Bahnhof has been a major opponent of extensive data retention requirements, launched a free VPN to its users, and recently vowed to protect subscribers from a looming copyright troll invasion.

Given the above, it’s unlikely that rightsholders can expect much voluntary cooperation from Bahnhof.

This stance doesn’t come as a surprise, and the report suggests that rightsholders should demand new legislation from Swedish lawmakers to force ISPs and other stakeholders into action.

EU-US: Privacy Shield

Post Syndicated from nellyo original https://nellyo.wordpress.com/2016/08/02/dp_eu_us/

The European Commission has repeatedly declared that it aims to achieve high standards of privacy protection within the framework of the data protection agreement between the EU and the US.

In early February 2016 the Commission approved the political agreement reached with the US and stated that the new framework will ensure protection of the fundamental rights of European citizens when their data is transferred to the United States and will guarantee legal certainty for businesses.

After receiving the opinion of the Article 29 Working Party (the data protection authorities) of 13 April and the European Parliament resolution of 26 May, the Commission completed the procedure for adopting the “EU-US Privacy Shield” on 12 July 2016.

According to the Commission, the EU-US Privacy Shield reflects the requirements set out by the Court of Justice of the EU in its judgment of 6 October 2015, which invalidated the old Safe Harbour framework.

Here are the preliminary opinion from February (summary) and the May opinion 4/2016 of the European Data Protection Supervisor on the Privacy Shield.

As the Commission announced, the decision takes effect immediately, and on the US side the Privacy Shield framework is published in the Federal Register, the equivalent of the Official Journal of the EU. The US Department of Commerce will begin applying the Privacy Shield. Once companies have had the opportunity to study the framework and bring their operations into line with it, they will be able to certify with the Department of Commerce from 1 August.

Adequacy decision

Annexes

Questions and answers

Facts

Communication: Transatlantic data flows: Restoring trust through strong safeguards

Filed under: Digital, EU Law, Media Law

EU: Directive 2002/58/, privacy in electronic communications

Post Syndicated from nellyo original https://nellyo.wordpress.com/2016/08/02/2002-58-2-2/

Opinion 5/2016 of the European Data Protection Supervisor on the review of Directive 2002/58 on personal data and privacy in electronic communications (the ePrivacy Directive) has been published.

In 2015 the supervisor also issued more general recommendations on the options for revising the EU legal framework for the protection of personal data. They contain an assessment of the revision.

According to the supervisor, legislation is the art of the possible. “The result will not be ideal in our view, but we are ready to help the institutions achieve the best possible result. We are driven by three imperative considerations:
—a better deal for citizens,
—rules that will work in practice,
—rules that will remain in force for a generation.”

Filed under: Digital, EU Law, Media Law

Amazon Cognito Your User Pools is Now Generally Available

Post Syndicated from Vikram Madan original https://blogs.aws.amazon.com/security/post/Tx13NVD4AWG9QK9/Amazon-Cognito-Your-User-Pools-is-Now-Generally-Available

Amazon Cognito makes it easy for developers to add sign-up, sign-in, and enhanced security functionality to mobile and web apps. With Amazon Cognito Your User Pools, you get a simple, fully managed service for creating and maintaining your own user directory that can scale to hundreds of millions of users.

With today’s launch, Amazon Cognito Your User Pools adds:

  • Device remembering – Amazon Cognito can remember the devices from which each user signs in.
  • User search – Search for users in a user pool based on an attribute.
  • Customizable email addresses – Customize the "from" email address of emails you send to users in a user pool.
  • Attribute permissions – Set fine-grained permissions for each user attribute.
  • Custom authentication flow – Use new APIs and AWS Lambda triggers to customize the sign-in flow.
  • Admin sign-in – Your app can now sign in users from back-end servers or Lambda functions.
  • Global sign-out – Allow a user to sign out from all signed-in devices or browsers.
  • Custom expiration period – Set an expiration period for refresh tokens.
  • Amazon API Gateway integration – Allow user pool authentications to authorize Amazon API Gateway requests.

You benefit from the security and privacy best practices of AWS, and retain full control of your user data.

Amazon Cognito is now also available in the US West (Oregon) Region in addition to the US East (N. Virginia), Asia Pacific (Tokyo), and EU (Ireland) Regions. To begin using this new feature of Amazon Cognito, see the Amazon Cognito page.

To learn more, see the AWS Blog and the related documentation.

– Vikram

Real-World Security and the Internet of Things

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/07/real-world_secu.html

Disaster stories involving the Internet of Things are all the rage. They feature cars (both driven and driverless), the power grid, dams, and tunnel ventilation systems. A particularly vivid and realistic one, near-future fiction published last month in New York Magazine, described a cyberattack on New York that involved hacking of cars, the water system, hospitals, elevators, and the power grid. In these stories, thousands of people die. Chaos ensues. While some of these scenarios overhype the mass destruction, the individual risks are all real. And traditional computer and network security isn’t prepared to deal with them.

Classic information security is a triad: confidentiality, integrity, and availability. You’ll see it called “CIA,” which admittedly is confusing in the context of national security. But basically, the three things I can do with your data are steal it (confidentiality), modify it (integrity), or prevent you from getting it (availability).

So far, Internet threats have largely been about confidentiality. These can be expensive; one survey estimated that data breaches cost an average of $3.8 million each. They can be embarrassing, as in the theft of celebrity photos from Apple’s iCloud in 2014 or the Ashley Madison breach in 2015. They can be damaging, as when the government of North Korea stole tens of thousands of internal documents from Sony or when hackers stole data about 83 million customer accounts from JPMorgan Chase, both in 2014. They can even affect national security, as in the case of the Office of Personnel Management data breach by — presumptively — China in 2015.

On the Internet of Things, integrity and availability threats are much worse than confidentiality threats. It’s one thing if your smart door lock can be eavesdropped upon to know who is home. It’s another thing entirely if it can be hacked to allow a burglar to open the door — or prevent you from opening your door. A hacker who can deny you control of your car, or take over control, is much more dangerous than one who can eavesdrop on your conversations or track your car’s location.

With the advent of the Internet of Things and cyber-physical systems in general, we’ve given the Internet hands and feet: the ability to directly affect the physical world. What used to be attacks against data and information have become attacks against flesh, steel, and concrete.

Today’s threats include hackers crashing airplanes by hacking into computer networks, and remotely disabling cars, either when they’re turned off and parked or while they’re speeding down the highway. We’re worried about manipulated counts from electronic voting machines, frozen water pipes through hacked thermostats, and remote murder through hacked medical devices. The possibilities are pretty literally endless. The Internet of Things will allow for attacks we can’t even imagine.

The increased risks come from three things: software control of systems, interconnections between systems, and automatic or autonomous systems. Let’s look at them in turn:

Software Control. The Internet of Things is a result of everything turning into a computer. This gives us enormous power and flexibility, but it brings insecurities with it as well. As more things come under software control, they become vulnerable to all the attacks we’ve seen against computers. But because many of these things are both inexpensive and long-lasting, many of the patch and update systems that work with computers and smartphones won’t work. Right now, the only way to patch most home routers is to throw them away and buy new ones. And the security that comes from replacing your computer and phone every few years won’t work with your refrigerator and thermostat: on the average, you replace the former every 15 years, and the latter approximately never. A recent Princeton survey found 500,000 insecure devices on the Internet. That number is about to explode.

Interconnections. As these systems become interconnected, vulnerabilities in one lead to attacks against others. Already we’ve seen Gmail accounts compromised through vulnerabilities in Samsung smart refrigerators, hospital IT networks compromised through vulnerabilities in medical devices, and Target Corporation hacked through a vulnerability in its HVAC system. Systems are filled with externalities that affect other systems in unforeseen and potentially harmful ways. What might seem benign to the designers of a particular system becomes harmful when it’s combined with some other system. Vulnerabilities on one system cascade into other systems, and the result is a vulnerability that no one saw coming and no one bears responsibility for fixing. The Internet of Things will make exploitable vulnerabilities much more common. It’s simple mathematics. If 100 systems are all interacting with each other, that’s about 5,000 interactions and 5,000 potential vulnerabilities resulting from those interactions. If 300 systems are all interacting with each other, that’s 45,000 interactions. 1,000 systems: 12.5 million interactions. Most of them will be benign or uninteresting, but some of them will be very damaging.

Autonomy. Increasingly, our computer systems are autonomous. They buy and sell stocks, turn the furnace on and off, regulate electricity flow through the grid, and — in the case of driverless cars — automatically pilot multi-ton vehicles to their destinations. Autonomy is great for all sorts of reasons, but from a security perspective it means that the effects of attacks can take effect immediately, automatically, and ubiquitously. The more we remove humans from the loop, the faster attacks can do their damage and the more we lose our ability to rely on actual smarts to notice something is wrong before it’s too late.

We’re building systems that are increasingly powerful, and increasingly useful. The necessary side effect is that they are increasingly dangerous. A single vulnerability forced Chrysler to recall 1.4 million vehicles in 2015. We’re used to computers being attacked at scale — think of the large-scale virus infections from the last decade — but we’re not prepared for this happening to everything else in our world.

Governments are taking notice. Last year, both Director of National Intelligence James Clapper and NSA Director Mike Rogers testified before Congress, warning of these threats. They both believe we’re vulnerable.

This is how it was phrased in the DNI’s 2015 Worldwide Threat Assessment: “Most of the public discussion regarding cyber threats has focused on the confidentiality and availability of information; cyber espionage undermines confidentiality, whereas denial-of-service operations and data-deletion attacks undermine availability. In the future, however, we might also see more cyber operations that will change or manipulate electronic information in order to compromise its integrity (i.e. accuracy and reliability) instead of deleting it or disrupting access to it. Decision-making by senior government officials (civilian and military), corporate executives, investors, or others will be impaired if they cannot trust the information they are receiving.”

The DNI 2016 threat assessment included something similar: “Future cyber operations will almost certainly include an increased emphasis on changing or manipulating data to compromise its integrity (i.e., accuracy and reliability) to affect decision making, reduce trust in systems, or cause adverse physical effects. Broader adoption of IoT devices and AI — in settings such as public utilities and healthcare — will only exacerbate these potential effects.”

Security engineers are working on technologies that can mitigate much of this risk, but many solutions won’t be deployed without government involvement. This is not something that the market can solve. Like data privacy, the risks and solutions are too technical for most people and organizations to understand; companies are motivated to hide the insecurity of their own systems from their customers, their users, and the public; the interconnections can make it impossible to connect data breaches with resultant harms; and the interests of the companies often don’t match the interests of the people.

Governments need to play a larger role: setting standards, policing compliance, and implementing solutions across companies and networks. And while the White House Cybersecurity National Action Plan says some of the right things, it doesn’t nearly go far enough, because so many of us are phobic of any government-led solution to anything.

The next president will probably be forced to deal with a large-scale Internet disaster that kills multiple people. I hope he or she responds with both the recognition of what government can do that industry can’t, and the political will to make it happen.

This essay previously appeared on Vice Motherboard.

BoingBoing post.

The NSA and "Intelligence Legalism"

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/07/the_nsa_and_int.html

Interesting law journal paper: “Intelligence Legalism and the National Security Agency’s Civil Liberties Gap,” by Margo Schlanger:

Abstract: This paper examines the National Security Agency, its compliance with legal constraints and its respect for civil liberties. But even if perfect compliance could be achieved, it is too paltry a goal. A good oversight system needs its institutions not just to support and enforce compliance but also to design good rules. Yet as will become evident, the offices that make up the NSA’s compliance system are nearly entirely compliance offices, not policy offices; they work to improve compliance with existing rules, but not to consider the pros and cons of more individually-protective rules and try to increase privacy or civil liberties where the cost of doing so is acceptable. The NSA and the administration in which it sits have thought of civil liberties and privacy only in compliance terms. That is, they have asked only “Can we (legally) do X?” and not “Should we do X?” This preference for the can question over the should question is part and parcel, I argue, of a phenomenon I label “intelligence legalism,” whose three crucial and simultaneous features are imposition of substantive rules given the status of law rather than policy; some limited court enforcement of those rules; and empowerment of lawyers. Intelligence legalism has been a useful corrective to the lawlessness that characterized surveillance prior to intelligence reform, in the late 1970s. But I argue that it gives systematically insufficient weight to individual liberty, and that its relentless focus on rights, and compliance, and law has obscured the absence of what should be an additional focus on interests, or balancing, or policy. More is needed; additional attention should be directed both within the NSA and by its overseers to surveillance policy, weighing the security gains from surveillance against the privacy and civil liberties risks and costs. That attention will not be a panacea, but it can play a useful role in filling the civil liberties gap intelligence legalism creates.

This is similar to what I wrote in Data and Goliath:

There are two levels of oversight. The first is strategic: are the rules we’re imposing the correct ones? For example, the NSA can implement its own procedures to ensure that it’s following the rules, but it should not get to decide what rules it should follow….

The other kind of oversight is tactical: are the rules being followed? Mechanisms for this kind of oversight include procedures, audits, approvals, troubleshooting protocols, and so on. The NSA, for example, trains its analysts in the regulations governing their work, audits systems to ensure that those regulations are actually followed, and has instituted reporting and disciplinary procedures for occasions when they’re not.

It’s not enough that the NSA makes sure there is a plausible legal interpretation that authorizes what they do. We need to make sure that their understanding of the law is shared with the outside world, and that what they’re doing is a good idea.

EDITED TO ADD: The paper is from 2014. Also worth reading are these two related essays.

isoHunt Founder Settles with Music Industry for $66 Million

Post Syndicated from Ernesto original https://torrentfreak.com/isohunt-founder-settles-cria-66-million/

After years of legal battles, isoHunt and its founder Gary Fung are free at last.

Today, Fung announced that he has settled the last remaining lawsuit with Music Canada, formerly known as the Canadian Recording Industry Association (CRIA).

“After 10 long years, I’m happy to announce the end of isoHunt’s and my lawsuits,” Fung says, noting that he now owes the Canadian music group $66 million.

The multi-million dollar agreement follows an earlier settlement with the MPAA for $110 million, on paper. While most site owners would be devastated, Fung has long since moved beyond that phase and responds rather sarcastically.

“And I want to congratulate both Hollywood and CRIA on their victories, in letting me off with fines of $110m and $66m, respectively. Thank you!” he notes, adding that he’s “free at last”.

The consent order (pdf) signed by the Supreme Court of British Columbia prohibits isoHunt’s founder from operating any file-sharing site in the future.

It further requires Fung to pay damages of $55 million and another $10 million in aggravated punitive damages. The final million dollars covers the costs of the lawsuit.

Although isoHunt shut down in 2013, it took more than two years for the last case to be finalized. The dispute began in the previous decade, when the Canadian music industry went after several prominent torrent sites.

In May 2008, isoHunt received a cease and desist letter from the CRIA demanding that isoHunt founder Gary Fung take the site offline. If Fung didn’t comply, the CRIA said it would pursue legal action and demand $20,000 for each sound recording the site had infringed.

A similar tactic worked against Demonoid, but the isoHunt founder didn’t back down so easily. Instead, he himself filed a lawsuit against the CRIA asking the court to declare the site legal.

That didn’t work out as isoHunt’s founder had planned, and several years later the tables were turned entirely, with the defeat now final.

While the outcome won’t change anything about isoHunt’s demise, Fung is proud that he was always able to shield its users from the various copyright groups attacking it. No identifiable user data was shared at any point.

Fung is also happy for the support the site’s users have given him over the years.

“I can proudly conclude that I’ve kept my word regarding users’ privacy above. To isoHunt’s avid users, it’s worth repeating since I shut down isoHunt in 2013, that you have my sincerest thanks for your continued support,” Fung notes.

“Me and my staff could not have done it for more than 10 years without you, and that’s an eternity in internet time. It was an interesting and challenging journey for me to say the least, and the most profound business learning experience I could not expect.”

The Canadian entrepreneur can now close the isoHunt book for good and move on to new ventures. One of the projects he just announced is a mobile search tool called AAG (“App to Automate Googling”), for which he is inviting alpha testers.

The original isoHunt site now redirects to the MPAA’s “legal” search engine WhereToWatch. However, the name and design live on via the clone site IsoHunt.to, which still draws millions of visitors per month – frustrating for the MPAA and Music Canada.
